Privacy & Information Security Law Blog

On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity ...

On January 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the International Conference of Data Protection and Privacy Commissioners (the “International Conference”) on its Declaration on Ethics and Data Protection in Artificial Intelligence (the “Declaration”). The Declaration was adopted by the International Conference on October 23, 2018, for public consultation.

On January 22, 2019, the European Data Protection Board (“EDPB”) issued a report on the Second Annual Review of the EU-U.S. Privacy Shield (the “Report”). Although not binding on EU or U.S. authorities, the Report provides guidance to regulators in both jurisdictions regarding implementation of the Privacy Shield and highlights the EDPB’s ongoing concerns with regard to the Privacy Shield. We previously blogged about the European Commission’s report on the second annual review of the Privacy Shield, and the joint statement of the European Commission and Department of Commerce regarding the second annual review.

On January 16, 2019, Hunton Andrews Kurth hosted a breakfast seminar in London, entitled “GDPR: Post Implementation Review.” Bridget Treacy, Aaron Simpson and James Henderson from Hunton Andrews Kurth and Bojana Bellamy from the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth discussed some of the challenges and successes companies encountered in implementing the EU General Data Protection Regulation (the “GDPR”), and also identified key data protection challenges that lie ahead. The Hunton team was joined by Neil Paterson, Group Data Protection Coordinator of TUI Group; Miles Briggs, Data Protection Officer of TUI UK & Ireland; and Vivienne Artz, Chief Privacy Officer at Refinitiv, who provided an in-house perspective on the GDPR.

On December 29, 2018, the UK Information Commissioner’s Office announced that Elizabeth Denham, UK Information Commissioner, was awarded a CBE for her services to protecting information. Denham’s award was announced in the United Kingdom’s 2019 New Year’s Honours list. This honor reflects Denham’s achievements as the UK Information Commissioner and the enhanced leadership, visibility and impact that she has brought to the role and the Office.

The Illinois Supreme Court ruled today that an allegation of “actual injury or adverse effect” is not required to establish standing to sue under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”). This post discusses the importance of the ruling to current and future BIPA litigation.

The Belgian Data Protection Authority (the “Belgian DPA”) recently published on its website a form to be completed for prior consultation in the context of a data protection impact assessment (“DPIA”).

On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile device and create a Google account, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. The CNIL’s enforcement action was the result of collective actions filed by two not-for-profit associations. This fine against Google is the first fine imposed by the CNIL under the GDPR and the highest fine imposed by a supervisory authority within the EU under the GDPR to date.

On January 23, 2019, the European Commission announced that it has adopted its adequacy decision on Japan (the “Adequacy Decision”). According to the announcement, Japan has adopted an equivalent decision and the adequacy arrangement is applicable with immediate effect.

Hundreds of contractors and subcontractors with connections to U.S. electric utilities and government agencies have been hacked, according to a recent report by the Wall Street Journal. The U.S. government has linked the hackers to a Russian state-sponsored group, sometimes called Dragonfly or Energetic Bear. The U.S. government alerted the public that the hacking campaign started in March 2016, if not earlier, although many of its victims were unaware of the incident until notified by the Federal Bureau of Investigation and Department of Homeland Security, the Wall Street Journal reports.

On January 18, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on the territorial scope of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on November 16, 2018, for public consultation.

On January 16, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”), announced that it had requested 30 private organizations provide information about the agreements they have with other entities that process personal data on their behalf. The Dutch DPA indicated that the targeted organizations are mainly in energy, media and trade sectors.

On January 15, 2019, the UK House of Commons rejected the draft Brexit Withdrawal Agreement negotiated between the UK Prime Minister and the EU by a margin of 432-202. While the magnitude of the loss sets in motion a process which could potentially have resulted in an early general election being held, on January 16 a majority of British Members of Parliament rejected a vote of no confidence in Theresa May’s government.

As we move closer to implementation of the California Consumer Privacy Act of 2018 (“CCPA”), companies should consider how the new law could affect their operations in multiple ways – including, for example, data collected through their employee benefit plans.

On January 10, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.

As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without plaintiff’s consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

On October 22, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP co-hosted a workshop in Brussels on “Can GDPR Work for Health Scientific Research?” (the “Workshop”) with the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) and the Future of Privacy Forum (“FPF”) to address the challenges raised by the EU General Data Protection Regulation (“GDPR”) in conducting scientific health research.

On November 30, 2018, the Austrian Data Protection Authority (“DPA”) published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website. As a factual matter, the Austrian newspaper offered three options to individuals who sought to access content on the site: (1) accept the use of cookies for analytics and advertising purposes and have full, complimentary website access; (2) refuse cookies and obtain access to only limited content on the website; or (3) pay a monthly subscription of €6 to obtain full access to the website without accepting the use of cookies and similar tracking technologies.

The California Department of Justice will host six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) to provide the general public an opportunity to participate in the CCPA rulemaking process. Individuals may attend or speak at the events or submit written comments by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

On December 27, 2018, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €250,000 on French telecom operator Bouygues Telecom for failing to protect the personal data of the customers of its mobile package B&YOU.

On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions:

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

On December 21, 2018, the Irish Data Protection Commission (the “DPC”) published preliminary guidance on data transfers to and from the UK in the event of a “no deal” Brexit (the “Guidance”). The Guidance is relevant for any Irish entities that transfer personal data to the UK, including Northern Ireland.